Late last month, the United States Court of Appeals for the District of Columbia filed its decision in Kaspersky Lab, Inc. v. United States Department of Homeland Security, 18-5176, 2018 WL 6252798 (D.C. Cir. Nov. 30, 2018), upholding a congressional prohibition on the use of Kaspersky Lab products by federal agencies. The court ruled against Kaspersky Lab in concluding Kaspersky Lab failed to adequately allege Congress’s prohibition amounted to an unconstitutional legislative punishment. The court’s ruling additionally allowed to stand a narrower directive of the Department of Homeland Security (DHS), which Kaspersky Lab also challenged.

While the case’s holding turns on constitutional law and federal government procurement, the mechanism by which the government addressed a cybersecurity risk is a legal one. The approach highlights a role for legal counsel to play in cybersecurity, through assessment of vendor, contractor, or supply chain risk, whether when advising on corporate governance or performing contract review.

In Kaspersky Lab Inc., in consolidated cases, Kaspersky Lab challenged a directive of DHS and challenged the National Defense Authorization Act for Fiscal Year 2018 (NDAA), both of which prohibited the use of Kaspersky Lab products by the federal government.

Kaspersky Lab is a major cybersecurity vendor, perhaps most well known for its anti-virus software. It garneredmediaattention following the 2016 presidential election for its purported ties to the Russian government.

Per the facts of the case, Kaspersky Lab’s troubles began in spring 2017, when, among other reports, congressional hearings highlighted ties between Kaspersky Lab’s founder and Russia’s modern-day successor of the KGB. At one such hearing, the heads of various U.S. intelligence agencies were asked whether they would install Kaspersky software on their own computers. All replied no.

Subsequent to the hearings, in September 2017 DHS issued a directive, which required federal agencies to begin removing “Kaspersky-branded products” within 90 days, based on “the risks presented.” National Protection and Programs Directorate; Notification of Issuance of Binding Operational Directive 17-01 and Establishment of Procedures for Responses, 82 Fed. Reg. 43782-02. This directive underlies the first of Kaspersky Lab’s two consolidated actions.

Congressional hearings on the topic of Kaspersky products continued throughout 2017, including a review of DHS’s rationale in issuing its directive. Before a House committee, DHS explained the concerns leading to the directive, as summarized by the D.C. Circuit:

First, “certain Kaspersky officials” enjoy “ties” to “Russian intelligence and other government officials.” Second, Russian law “allow[s] Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks.” And third, all antivirus software, including Kaspersky’s, receives “broad access” to the systems on which it operates. So like a thief who has stolen a security guard’s master key, a cyberattacker can exploit antivirus software’s “elevated privileges” to inflict serious damage on the systems the software ostensibly protects. In the Department’s view . . . the Directive “is a reasonable, measured approach to the information security risks posed by . . . [Kaspersky] products to the federal government.”

Kaspersky Lab, Inc., at *2 (citing Bolstering the Government’s Cybersecurity: A Survey of Compliance with the DHS Directive: Hearing Before the House Subcommittee on Oversight, House Committee on Science, Space, and Technology, 115th Cong. 22 (2017))

Later in 2017, Congress passed the National Defense Authorization Act (NDAA) for Fiscal Year 2018, which included a provision prohibiting any element of the federal government from using “hardware, software, or services developed or provided” by Kaspersky Lab or entities controlled by Kaspersky Lab. The president signed theact in mid-December 2017. The NDAA was the target of Kaspersky Lab’s second consolidated action.

The district court consolidated the two actions to resolve cross-motions for summary judgment and the government’s motions to dismiss both cases. The district court granted the motion to dismiss the complaint against the NDAA, concluding Kaspersky Lab failed to adequately allege the Act’s prohibition on the use of Kaspersky Lab products and services was a Bill of Attainder under the Constitution. Additionally, the district court concluded invalidating the directive alone would redress none of Kaspersky Lab’s injuries, because NDAA covers more products and agencies than DHS’s directive. Consequently, the district court dismissed that action for lack of standing.

On appeal, the Court of Appeals for the D.C. Circuit agreed, determining through analysis of a straightforward three-part test, Kaspersky Lab failed to adequately allege Congress effected an impermissible legislative punishment by way of the NDAA’s proscription on the use of Kaspersky Lab products and services. The holding allowed to stand the NDAA’s prohibition, as well as the directive from DHS.

The court’s holding and reasoning is of limited import for most attorneys but, notably, the mechanism by which the government addressed a cybersecurity risk was a legal one. This approach demonstrates a role for law and thus for lawyers in shaping cybersecurity policy and practice. Counsel advising on corporate policy, or assessing risks present in contracts, may well consider the role that cybersecurity plays across all business functions.

Further, it bore mention to DHS in their statements to Congress—and to the D.C. Circuit in its analysis—to address the particularly broad system access granted to antivirus software. In this way, both highlighted the importance of evaluating the scope of risk presented by individual technologies and technology-based partnerships. On this point too, there is a role for counsel in weighing and advising on those cybersecurity risks.

___________________________

Peter F. Johnson, Esq. is the director of technology at the Superior Court of Pennsylvania

The Pennsylvania Cybersecurity and Data Privacy Committee analyzes cybersecurity issues and educates PBA members about legal, regulatory and industry standards that preserve the confidentiality of protected information.